The Privacy Nightmares of CISPA

A cybersecurity bill that many believe poses clear dangers to digital freedom is drawing the ire of digital freedom and civil liberties groups. The legislation, the Cybersecurity Intelligence Sharing Protection Act (CISPA), should be a major story all week.

In anticipation of headlines that might be made as members of Congress propose amendments to the bill and it continues to take shape before being voted on by the House on April 23, I recorded an interview on CISPA with Trevor Timm, who is a digital freedom activist with the Electronic Frontier Foundation. The interview was done to provide an overview of the possible impact of this legislation if the bill were to pass, and Timm described multiple privacy nightmares that could occur if the bill is passed in its current form.

TRANSCRIPT OF THE INTERVIEW

KEVIN GOSZTOLA, The Dissenter: Let’s start broadly first. I’d like to have you address why the Electronic Frontier Foundation and why you think privacy is so important.

TREVOR TIMM, EFF Activist: Privacy is especially important on the Internet because of all the Internet we end up sending and receiving from each other and also to different companies and perhaps the government. A lot of the information that we have in our email boxes or our Facebook accounts isn’t necessarily protected by the same constitutional protections that protect letters and phone calls. This is because the Electronic Communications Privacy Act was written twenty-five years before email even existed and that’s what still governs what the government can and can’t take from companies and us about our information. And, the worst part about this bill CISPA – which stands for the Cyber Intelligence Sharing Protection Act – is that it essentially carves out a giant cybersecurity loophole into already watered-down protections for our communications. And what we’re really worried about is that companies will end up handing over large swaths of our emails, private messages on Facebook or Twitter, to the government with no judicial oversight.

GOSZTOLA: With that in mind, what is CISPA?

TIMM: The bill, which is written by Republican Mike Rogers and has over 100 co-sponsors, is going through the House right now. It is expected to be voted on April 23. What it purports to do is allow companies and the federal government to share information back and forth to prevent from crippling cyber attacks. And the part of the bill that allows government to share information with companies isn’t really what we have a problem with. It’s the other way around. Companies are now allowed to give information to the government about these cyber attacks. And the bill is written broadly, what it ends up doing is allowing companies to snoop through our communications, even the contents of our emails, and then hand it over to the government voluntarily.

Now, normally there are laws that protect us from companies and the government from reading our communications, like the Wiretap Act or the Electronic Communications Privacy Act. They can only do this in very certain situations. But now this carves out this big cybersecurity loophole that allows them to both read our communications and then hand them over to the government and what the government does with it from there is another problem.

GOSZTOLA: As far as how they’re keeping the vagueness of what constitutes a cybersecurity threat – I mean, I’ve noticed in your work for EFF you’ve looked at how they would like to not define that. What can you say about this aspect?

TIMM: This is the problem. So, we don’t really know what a “cybersecurity threat information” is in this bill because it is written so broadly that it’s only really one sentence long and they can basically do anything with what they consider “cybersecurity threat information.” That would give them the authority to go into our emails.

There’s a couple other bills in the Senate that are kind of more specific and would give us an idea on where they are trying to go with this. And the specific bills are almost worse in some respects because they really lay out the real dangers in deciding cyber threat information like this. Basic privacy practices like using an anonymization service like Tor to hide your location or identity or even encrypting your emails could be considered a threat under the Senate bills. And the bills’ definitions even implicate a lot of practices that aren’t even close to cybersecurity threats or actually penetrate anyone’s network – port scans or DDoS traffic or things like that. So, there’s a lot of things in this bill that can trigger “cybersecurity threat information” and then allow companies to read your emails that wouldn’t necessarily contribute to a hack of these companies and so we’re worried that the companies will just be able to read our communications just by saying there’s a vague cybersecurity purpose and then hand them over to the government when there’s really nothing at all.

GOSZTOLA: I’ve noticed that a backlash has begun. There are groups getting together, like the Electronic Frontier Foundation. Some are labeling this SOPA 2, a way to backdoor that. It looks like there might have been some impact from this so far. Can you talk a little bit about – I notice you mention a change in how this could impact whistleblower websites. Since you’ve followed WikiLeaks before, where do you think CISPA is at when it comes to censoring whistleblower websites?

TIMM: There were two major things that we were worried about originally in this bill, which we were thinking they could have been a backdoor to SOPA 2.0. Originally they had defined “cyber threat intelligence” and “cyber threat purpose” as theft or misappropriation of government information, intellectual property or personal information. So, they had this giant intellectual property clause in this bill that would have given them the authority to either surveil for intellectual property violations or censor them because this information is going to [Department of Homeland Security] originally and they’re the ones that are in charge of a lot of domain seizures for copyright infringement.

Late last week they decided they were going to propose an amendment that would get rid of this clause entirely, the intellectual property clause. Unfortunately, it still talks about the misappropriation of government information so we’re still worried that could potentially be interpreted to mean that these ISPs can use the information to go after whistleblower websites that publish classified information or even mainstream news organizations that do the same thing like the Washington Post or The Guardian. So, now the bill authors have said this isn’t the intention of this bill but we’re worried that the bill is written so broadly that it could end up encompassing that kind of behavior.

GOSZTOLA: Now, as we wrap our conversation, can you talk about the hashtag campaign that EFF is promoting?

TIMM: We have a few things going on right now. I just published a “Frequently Asked Questions about CISPA” basically laying out all the privacy dangers from the companies looking into your emails to them giving them to the government and what the government can do with them after, including handing them to the NSA, which is what we’re really worried about given they’ve been accused of spying on the American public many times in the past.

So, what we’d like you to do is, number one, email your congressman. We have an action center set up on our website to make it easy for you to be able to do that. And then on Twitter, we’re also running a hashtag campaign in which you can target your member of Congress and send them a message with the hashtag #CongressTMI (too much information). The goal is to tell Congress everything you’re doing today. So, we want to show them that what the government may be getting is so much information on us that they don’t need. So we’re going to show them for a day what it is like to get too much information and so it can be personal, it can be mundane – Basically, whatever you want. Just send them a message to let them know that we don’t want this bill to pass in its current form because it invades the privacy of innocent Americans.

GOSZTOLA: And I would also like to know what EFF expects to happen with this bill. I know it is up for a House vote on April 23. Is there anything else people should know?

TIMM: There are several bills going through Congress right now, a couple major ones in the Senate. This is the most popular one in the House right now. It looks like it could have the most legs. The good news is the authors of the bill are starting to listen to us. Because of the SOPA protest, they’re so afraid of Internet backlash that they are willing to negotiate whereas they wouldn’t have negotiated before. Hopefully, if we draw enough attention to all the civil liberties deficits, they will listen and take the provisions out that we don’t like and pass a bill that doesn’t invade innocent Americans’ privacy.

For more on CISPA (and also WikiLeaks), follow Trevor Timm on Twitter – @WLLegal